About the Institute of Practitioners in Advertising

The IPA, incorporated by Royal Charter, is a professional trade body for practitioners in 
advertising, media and marketing communications. It has a well-earned reputation amongst 
practitioners for thought leadership, best practice and continuous professional development 
and provides core support and advisory services for its corporate members which handle 
approximately 85% of the UK's advertising spend. The IPA has been established for over one 
hundred years and its learning programmes can be found in more than 87 countries 
worldwide. Its membership primarily comprises advertising and media agencies. 


Why UK agencies matter 

UK advertising, media and marketing communications agencies sit at the heart of a much 
larger UK creative industries ecosystem. IPA members employ some 25,000 people in an 
industry that spends approximately £23.6 billion, annually, on advertising (AA/Warc 
Expenditure Report 2018). Because of the nature of agencies’ work, they also directly impact 
other companies’ growth prospects: for example, advertisers (domestic and global) and 
other creative businesses, such as production companies. Advertising fuels the UK's 
economy. 


IPA approach to this consultation 

The IPA welcomes the opportunity to respond to this consultation. Rather than responding 
to the questions set out in the consultation document, we are better able to provide our 
comments on the draft code by way of this letter. 


Comments on the draft code 


General comments 
In our view, the draft code is mostly clear, easy to understand and to navigate and it covers 
the issues we would have expected. 


Good Practice Recommendations 

The code will serve as a useful, practical guide to assist organisations in complying with 
data protection laws. We note that adherence to the code will be “a key measure” of an
organisation's compliance but welcome the ICO's confirmation that the code “does not
impose any additional legal obligations that go beyond the requirements of the GDPR or
PECR”.


However, the code also contains good practice recommendations which, it states, are 
“optional” and “without the status of legal requirements”. Whilst the code clarifies that “there is
no penalty for failing to adopt good practice recommendations” (provided the law is still
complied with), we would welcome confirmation as to the status of these 
recommendations, for example, to what extent the ICO may rely on them as part of its 
assessment of an organisation's compliance with the law. Some of the recommendations do 
appear to go beyond the law. For example: 


• “get consent for all your direct marketing regardless of whether PECR requires it or
  not”. As the code itself explains (reflecting Recital 47 GDPR), “the GDPR says that
  direct marketing may be a legitimate interest”. It is surely for the controller to
  determine the lawful basis by which it processes personal data for direct marketing
  purposes?


• “When sending direct marketing to new customers on the basis of consent collected
  by a third party we recommend that you do not rely on consent that was given more
  than six months ago.” This seems an arbitrary timeframe that does not take into
  account the fact that many services depend on long lead-times where the
  consumer will benefit from receiving marketing communications later than 6
  months from the date of consent.


Online behavioural advertising 
The code suggests that “online behavioural advertising and some types of social media
marketing are not classed as electronic mail under PECR but these are still direct marketing
communications”. It goes on to explain that “The key element of the definition is that the
marketing material must be ‘directed to’ particular individuals” and gives the example of
“online advertising that is targeted to a particular individual”.


We do not agree that online behavioural advertising is targeted to particular individuals, 
particularly in comparison to, for example, personally addressed post, calls to a particular 
telephone number or emails sent to a particular email account. Online behavioural 
advertising is used to target audiences, not individuals. 


In-app messaging 
The code explains that the PECR rules apply to specific types of electronic communication,
including in-app messages, and that in-app messages are “electronic mail” as defined in
Reg. 2 of PECR. We would welcome an explanation as to why in-app messages fall within 
the definition, and some examples of in-app messages intended to be included within the 
definition. 


DPIAs 

The code includes a list of five operations requiring a DPIA and which are relevant to direct 
marketing. It explains that while some of these operations may require a DPIA automatically, 
others will “if they occur in combination with any other criterion from the European guidelines
on DPIAs”. We would appreciate clarification as to which operations these are.


Further, we would appreciate guidance on how to determine what are “suitable intervals” for
reviewing DPIAs during longer term projects. 


Custom Audiences 

The code suggests that consent is likely to be the appropriate lawful basis for this type of 
processing “as it is difficult to see how it would meet the three-part test of the legitimate 
interests basis”. Our understanding is that this type of processing is isolated to the marketer's 
selected platform and its own pre-existing customer list. It does not, typically, involve large 
volumes of data being processed across various platforms. 


As stated above, direct marketing may be a legitimate interest under the GDPR. We believe 
that, if social media marketing can amount to direct marketing, marketers using custom 
audience-type marketing communications ought to be able to rely on legitimate interests as
their lawful basis since they will be processing personal data to market to their existing 
customers (provided, of course, that they can satisfy the three-part test). 


Lookalike audiences 

The code suggests that because the marketer will have instigated the processing and 
provided the platform with the initial dataset, it is likely that the parties will be joint 
controllers. However, if social media marketing can amount to direct marketing, our 
understanding is that in this scenario, the marketer will supply its own dataset, and the social 
media platform will then compare that dataset with its own. Since both organisations will, 
therefore, be using different datasets for this processing, we question whether, instead of 
joint controllers, they would be independent controllers for the processing of their distinct 
datasets? 


Disproportionate effort exemption 
The code suggests that organisations are unlikely to be able to rely on the disproportionate
effort exemption to the Art 14 GDPR obligation to provide privacy information, where they
are “collecting personal data from various sources to build an extensive profile of an
individual's interests and characteristics for direct marketing purposes”. Our understanding is -
considering also the code's explanation on ensuring a “proportionate balance between the
effort involved for you to give privacy information and the effect of the processing on the
individual” - that organisations are more likely, then, to be able to rely on the exemption
where they are acquiring data from third parties for their own direct marketing purposes. 
However, organisations that collate data from other sources for selling on to organisations 
wishing to use that data for their own direct marketing purposes, would not be covered by 
the exemption. 


If our understanding is correct, this stance would have a dramatic - and damaging - effect 
on data brokers and similar organisations that collate and sell data to others, with a
‘knock-on’ effect for those organisations that rely on such data. Further, it would result in data
subjects receiving numerous privacy information communications from numerous 
organisations. 


Duration of consent 


The code provides guidance on the likely duration of consent obtained from third parties. 
Equivalent guidance regarding first party consent would also be useful. 